The ICO is the subject of the second of the Prizeologist’s short posts on the organisations which regulate how prize promotions are run (the first looked at the ASA – you can read that here).
Need to know: The ICO is an independent body, which protects ‘information rights’ in the UK. Its work covers compliance with a number of pieces of legislation, but principally the Data Protection Act 1998 and the Freedom of Information Act 2000. The new General Data Protection Regulation (GDPR), which comes into force next May, will also be within the ICO’s remit.
So how does that relate to prize promotions? Well, if you hold personal information about people who’ve entered a competition or promotion, you must register with the ICO (this may change once the GDPR is in place – we don’t know yet) and if you want to send those entrants further communications – information about special offers or a newsletter, for example – you must obtain their consent to do that in advance.
Compliance with information rights legislation should not be taken lightly (see Penalties below), because individual members of the public can and do raise concerns about specific organisations with the ICO. There’s more detail about how the ICO deals with complaints in this video.
Famous cases: In October 2016, a whopping £400,000 fine was issued to telecoms company TalkTalk for failing to prevent a cyber attack in which 156,959 customers had their personal information, including their names, addresses, dates of birth, phone numbers, email addresses and, in 15,656 cases, their bank details, stolen.
Penalties: When there’s been a serious breach of the legislation, the ICO prefers to work with the offending organisation to make sure it gets it right in the future. However, if that organisation isn’t responsive the ICO may also take what it calls ‘enforcement action’. This can include prosecution under the Data Protection Act and in particularly serious cases the ICO can impose a fine – of up to £500.00. In 2016-17, the ICO imposed fines totalling more than £1.9 million for unlawful marketing activities.
And finally: When you’re running prize promotions, make sure you have consent for marketing communications – in other words get the opt-ins right. You cannot automatically add all your entrants’ details to your email newsletter. Compliance with the relevant legislation is an area where we at Prizeology really know our stuff, so we’re well placed to help you ensure you don’t fall foul of the ICO.
Sarah Burns is Prizeology’s Chief Prizeologist, an IPM Board Director, and a SCAMbassador for National Trading Standards Scams Team.